kjs/JSObject.h:
(JSC::JSObject::getDirect): Rename getOffset -> get
(JSC::JSObject::getDirectLocation): Rename getOffset -> get
(JSC::JSObject::putDirect): Use propertyStorageCapacity to determine whether
or not to resize. Also, since put now returns an offset (and thus
addPropertyTransition does also) setting of the PropertyStorageArray is
now done here.
(JSC::JSObject::transitionTo):

kjs/PropertyMap.cpp:
(JSC::PropertyMap::checkConsistency): PropertyStorageArray is no longer
passed in.
(JSC::PropertyMap::operator=): Copy the delete offsets vector.
(JSC::PropertyMap::put): Instead of setting the PropertyNameArray
explicitly, return the offset where the value should go.
(JSC::PropertyMap::remove): Instead of removing from the PropertyNameArray
explicitly, return the offset where the value should be removed.
(JSC::PropertyMap::get): Switch to using the stored offset, instead
of the implicit one.
(JSC::PropertyMap::insert):
(JSC::PropertyMap::expand): This is never called when m_table is null,
so remove that branch and add it as an assertion.
(JSC::PropertyMap::createTable): Consistency checks no longer take
a PropertyNameArray.
(JSC::PropertyMap::rehash): No need to rehash the PropertyNameArray
now that it is completely out of band.

kjs/PropertyMap.h:
(JSC::PropertyMapEntry::PropertyMapEntry): Store offset into PropertyNameArray.
(JSC::PropertyMap::get): Switch to using the stored offset, instead
of the implicit one.

kjs/StructureID.h:
(JSC::StructureID::propertyStorageCapacity): Add propertyStorageCapacity
which is the current capacity for the JSObjects PropertyStorageArray.
It starts at the JSObject::inlineStorageCapacity (currently 2), then
when it first needs to be resized moves to the JSObject::nonInlineBaseStorageCapacity
(currently 16), and after that doubles each time.

Use #if ENABLE(feature) where possible, and #if ENABLE_feature where
Platform.h is not available, in preference to #ifdef ENABLE_feature.
#ifdef is wrong now that features are disabled by #defining
ENABLE_feature to 0.

Added C++ forward declaration for the NSURLAuthenticationChallenge class
so that the m_currentMacChallenge variable doesn't cause a
compilation error when ResourceHandleInternal.h is included from a C++ file.
Fixes: ​https://bugs.webkit.org/show_bug.cgi?id=21411

VM/Machine.cpp:
(JSC::Machine::unwindCallFrame): Update ExecState while unwinding call frames;
it now matters more to have a still-valid ExecState, since dynamicGlobalObject
will make use of the ExecState's scope chain.

Use information from the parser to detect whether an activation is
needed or 'arguments' is used, and emit explicit instructions to tear
them off before op_ret. This allows a branch to be removed from op_ret
and simplifies some other code. This does cause a small change in the
behaviour of 'f.arguments'; it is no longer live when 'arguments' is not
mentioned in the lexical scope of the function.

It should now be easy to remove the OptionaCalleeActivation slot in the
call frame, but this will be done in a later patch.

The problem is that dynamicGlobalObject had become O(N) in number
of call frames, but unwinding the stack for an exception called it
for every call frame, resulting in O(N2) behavior for an
exception thrown from inside deep recursion.

Instead of doing it that way, stash the dynamic global object in JSGlobalData.

VM/Machine.cpp:
(JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Helper class to temporarily
store and later restore a dynamicGlobalObject in JSGlobalData.
(JSC::DynamicGlobalObjectScope::~DynamicGlobalObjectScope):
(JSC::Machine::execute): In each version, establish a DynamicGlobalObjectScope.
For ProgramNode, always establish set new dynamicGlobalObject, for FunctionBody and Eval,
only if none is currently set.

VM/Machine.h:

kjs/ExecState.h:

kjs/JSGlobalData.cpp:
(JSC::JSGlobalData::JSGlobalData): Ininitalize new dynamicGlobalObject field to 0.

kjs/JSGlobalData.h:

kjs/JSGlobalObject.h:
(JSC::ExecState::dynamicGlobalObject): Moved here from ExecState for benefit of inlining.
Return lexical global object if this is a globalExec(), otherwise look in JSGlobalData
for the one stashed there.

This patch does not yet remove the branch, but it does a bit of refactoring
so that a CodeGenerator now knows whether the associated CodeBlock will need
a full scope before doing any code generation. This makes it possible to emit
explicit tear-off instructions before every op_ret.

(1) A repatch offset offset changes due to an additional instruction to update SamplingTool state.
(2) Fix an incusion order problem due to ExecState changes.
(3) Change to a MACHINE_SAMPLING macro, use of exec should now be accessing global data.

If we hit a parsing boundary (end of a packet, etc) in the middle of a
<script> element when we are doing an incremental parse, we exit the
parser, and reenter later when more data is available. During this
reentry we incorrectly reset the scriptStartLineno to the current line
in the parser, which is now part way through the script element.

The solution is to track whether we are entering or reentering the parsing
of a script element. We do this simply by 0 checking scriptStartLineno,
and resetting it after we complete parsing of each script element.

De-obfuscate parseDataUrl() and fix regressions introduced in r35954.
This patch also fixes encoding support in escaped (non-Base64) data
URLs. All manual data URL tests now pass in both GLib and non-GLib
code paths.

WebCore.xcodeproj/project.pbxproj: Mark the inspector group as
not using tabs and a tab width of 8.

inspector/InspectorController.cpp:
(WebCore::addResourceSourceToFrame): Return a bool to report if the
source was added successfully or not.
(WebCore::addSourceToFrame): Ditto.

inspector/front-end/ScriptView.js:
(WebInspector.ScriptView.prototype.setupSourceFrameIfNeeded):
Return early if the InspectorController.addSourceToFrame fails.
Moved the delete of the _frameNeedsSetup property after that call so
if the source wasn't added it will be attempted again.

inspector/front-end/SourceView.js:
(WebInspector.SourceView.prototype.detach): Move a comment.
(WebInspector.SourceView.prototype.setupSourceFrameIfNeeded):
Don't check if the resource is finished or failed, just attempt
to add the source to the frame. WebCore has the source, but the
finished property hasn't been set yet. Return early if the
InspectorController.addSourceToFrame fails. Moved the delete
of the _frameNeedsSetup property after that call so if the source
wasn't added it will be attempted again.
(WebInspector.SourceView.prototype._resourceLoadingFinished):
Clear the _frameNeedsSetup and _sourceFrameSetup properties so
the source frame will we populated again now that the resource
load has finished.

10% faster on Richards; other v8 benchmarks faster too.
A wash on SunSpider.

This does the minimum necessary to get the speedup. Next step in
cleaning this up is to replace ExecState with a CallFrame class,
and be more judicious about when to pass a call frame and when
to pass a global data pointer, global object pointer, or perhaps
something else entirely.

VM/CTI.cpp: Remove the debug-only check of the exception in
ctiVMThrowTrampoline -- already checked in the code the trampoline
jumps to, so not all that useful. Removed the exec argument from
ctiTrampoline. Removed emitDebugExceptionCheck -- no longer needed.
(JSC::CTI::emitCall): Removed code to set ExecState::m_callFrame.
(JSC::CTI::privateCompileMainPass): Removed code in catch to extract
the exception from ExecState::m_exception; instead, the code that
jumps into catch will make sure the exception is already in eax.

VM/CTI.h: Removed exec from the ctiTrampoline. Also removed the
non-helpful "volatile". Temporarily left ARG_exec in as a synonym
for ARG_r; I'll change that on a future cleanup pass when introducing
more use of the CallFrame type.
(JSC::CTI::execute): Removed the ExecState* argument.

VM/Machine.cpp:
(JSC::slideRegisterWindowForCall): Removed the exec and
exceptionValue arguments. Changed to return 0 when there's a stack
overflow rather than using a separate exception argument to cut
down on memory accesses in the calling convention.
(JSC::Machine::unwindCallFrame): Removed the exec argument when
constructing a DebuggerCallFrame. Also removed code to set
ExecState::m_callFrame.
(JSC::Machine::throwException): Removed the exec argument when
construction a DebuggerCallFrame.
(JSC::Machine::execute): Updated to use the register instead of
ExecState and also removed various uses of ExecState.
(JSC::Machine::debug):
(JSC::Machine::privateExecute): Put globalData into a local
variable so it can be used throughout the interpreter. Changed
the VM_CHECK_EXCEPTION to get the exception in globalData instead
of through ExecState.
(JSC::Machine::retrieveLastCaller): Turn exec into a registers
pointer by calling registers() instead of by getting m_callFrame.
(JSC::Machine::callFrame): Ditto.
Tweaked exception macros. Made new versions for when you know
you have an exception. Get at global exception with ARG_globalData.
Got rid of the need to pass in the return value type.
(JSC::Machine::cti_op_add): Update to use new version of exception
macros.
(JSC::Machine::cti_op_pre_inc): Ditto.
(JSC::Machine::cti_timeout_check): Ditto.
(JSC::Machine::cti_op_instanceof): Ditto.
(JSC::Machine::cti_op_new_func): Ditto.
(JSC::Machine::cti_op_call_JSFunction): Optimized by using the
ARG values directly instead of through local variables -- this gets
rid of code that just shuffles things around in the stack frame.
Also get rid of ExecState and update for the new way exceptions are
handled in slideRegisterWindowForCall.
(JSC::Machine::cti_vm_compile): Update to make exec out of r since
they are both the same thing now.
(JSC::Machine::cti_op_call_NotJSFunction): Ditto.
(JSC::Machine::cti_op_init_arguments): Ditto.
(JSC::Machine::cti_op_resolve): Ditto.
(JSC::Machine::cti_op_construct_JSConstruct): Ditto.
(JSC::Machine::cti_op_construct_NotJSConstruct): Ditto.
(JSC::Machine::cti_op_resolve_func): Ditto.
(JSC::Machine::cti_op_put_by_val): Ditto.
(JSC::Machine::cti_op_put_by_val_array): Ditto.
(JSC::Machine::cti_op_resolve_skip): Ditto.
(JSC::Machine::cti_op_resolve_global): Ditto.
(JSC::Machine::cti_op_post_inc): Ditto.
(JSC::Machine::cti_op_resolve_with_base): Ditto.
(JSC::Machine::cti_op_post_dec): Ditto.
(JSC::Machine::cti_op_call_eval): Ditto.
(JSC::Machine::cti_op_throw): Ditto. Also rearranged to return
the exception value as the return value so it can be used by
op_catch.
(JSC::Machine::cti_op_push_scope): Ditto.
(JSC::Machine::cti_op_in): Ditto.
(JSC::Machine::cti_op_del_by_val): Ditto.
(JSC::Machine::cti_vm_throw): Ditto. Also rearranged to return
the exception value as the return value so it can be used by
op_catch.

kjs/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::functionName): Pass globalData.
(JSC::DebuggerCallFrame::evaluate): Eliminated code to make a
new ExecState.

kjs/DebuggerCallFrame.h: Removed ExecState argument from
constructor.

kjs/ExecState.h: Eliminated all data members and made ExecState
inherit privately from Register instead. Also added a typedef to
the future name for this class, which is CallFrame. It's just a
Register* that knows it's a pointer at a call frame. The new class
can't be constructed or copied. Changed all functions to use
the this pointer instead of m_callFrame. Changed exception-related
functions to access an exception in JSGlobalData. Removed functions
used by CTI to pass the return address to the throw machinery --
this is now done directly with a global in the global data.

kjs/JSGlobalData.h: Declare two new globals. One for the current
exception and another for the return address used by CTI to
implement the throw operation.

kjs/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): Removed code to set up globalExec,
which is now the same thing as globalCallFrame.
(JSC::JSGlobalObject::reset): Get globalExec from our globalExec
function so we don't have to repeat the logic twice.
(JSC::JSGlobalObject::mark): Removed code to mark the exception;
the exception is now stored in JSGlobalData and marked there.
(JSC::JSGlobalObject::globalExec): Return a pointer to the end
of the global call frame.

Adds support to the Web Inspector's Elements panel for fast tag name,
class name, id and attribute name searching. The panel first tries
using getElementById, getElementsByClassName and getElementsByTagName
with the search query. Then does a slower search using XPath for partial
matches, text and comment matches.

Adds support for search queries like "<div>", "<h" and "frame>".
These forms limit the search to tag names, text and comment matches.

Changes how searching works in the Web Inspector's Elements
panel. The search tasks are divided into chunks that are small
units of work that are performed at a time interval. This
change also prevents queries that will select all elements,
since that isn't useful.

page/inspector/ElementsPanel.js:
(WebInspector.ElementsPanel.prototype.searchCancled):
Remove the searchResultsProperty form results since there might
be an unfinished search.
(WebInspector.ElementsPanel.prototype.performSearch): Divide the
documents and search functions into chunks that are performed on
a interval of 25ms. Prevent searches for "*" and "*".

I changed things so that functions which use "this" do a fast
version of toThisObject conversion if needed. Currently we miss
the conversion entirely, at least for primitive types. Using
TypeInfo and the primitive check, I made the fast case bail out
pretty fast.

This is inexplicably an 1.007x SunSpider speedup (and a wash on V8 benchmarks).

The curl_off_t integer type has a different size depending if large
file support is enabled or not. There is no different public API for
the two cases, so the same function accepts a different type based on
a compilation option the could be different in WebKit and libcurl.
To fix the bug we query libcurl at runtime for large file support and
pass the right type based on that.

1) Rename FeatureInfo typedef to CodeFeatures.
2) Rename NodeFeatureInfo template to NodeInfo.
3) Keep CodeFeature bitmask in ScopeNode instead of trying to break it out into individual bools.
4) Rename misleadingly named "needsClosure" method to "containsClosures", which better describes the meaning
of ClosureFeature.
5) Make setUsersArguments() not take an argument since it only goes one way.

A fix was landed for this issue in r37253, and the ChangeLog assumes
that it is a compiler bug, but it turns out that it is a subtle issue
with mixing signed and unsigned 32-bit values in a 64-bit environment.
In order to properly fix this bug, we should convert our signed offsets
into the register file to use ptrdiff_t.

This may not be the only instance of this issue, but I will land this
fix first and look for more later.

bridge/qt/qt_runtime.cpp: Remove long-obsolete codeType and
execute functions. Declarations for these relied on the CodeType
enumeration, which used to be in ExecState.h; but the functions
aren't needed at all.

VM/CTI.cpp:
(JSC::CTI::emitSlowScriptCheck): Changed to use ARGS_globalData
instead of ARGS_exec.

VM/CTI.h: Added a new argument to the CTI, the global data pointer.
While it's possible to get to the global data pointer using the
ExecState pointer, it's slow enough that it's better to just keep
it around in the CTI arguments.

kjs/ExecState.h: Removed m_globalObject and m_globalData.
Moved CodeType into another header.
(JSC::ExecState::ExecState): Take only a single argument, a
call frame pointer.
(JSC::ExecState::dynamicGlobalObject): Get the object from
the first call frame since it's no longer stored.
(JSC::ExecState::globalData): Get the global data from the
scope chain, since we no longer store a pointer to it here.
(JSC::ExecState::identifierTable): Ditto.
(JSC::ExecState::propertyNames): Ditto.
(JSC::ExecState::emptyList): Ditto.
(JSC::ExecState::lexer): Ditto.
(JSC::ExecState::parser): Ditto.
(JSC::ExecState::machine): Ditto.
(JSC::ExecState::arrayTable): Ditto.
(JSC::ExecState::dateTable): Ditto.
(JSC::ExecState::mathTable): Ditto.
(JSC::ExecState::numberTable): Ditto.
(JSC::ExecState::regExpTable): Ditto.
(JSC::ExecState::regExpConstructorTable): Ditto.
(JSC::ExecState::stringTable): Ditto.
(JSC::ExecState::heap): Ditto.

kjs/FunctionConstructor.cpp:
(JSC::FunctionConstructor::FunctionConstructor): Pass
JSGlobalData* instead of ExecState* to the InternalFunction
constructor.
(JSC::constructFunction): Pass the global data pointer when
constructing a new scope chain.

kjs/InternalFunction.cpp:
(JSC::InternalFunction::InternalFunction): Take a JSGlobalData*
instead of an ExecState*. Later we can change more places to
work this way -- it's more efficient to take the type you need
since the caller might already have it.

kjs/InternalFunction.h: Ditto.

kjs/JSCell.h:
(JSC::JSCell::operator new): Added an overload that takes a
JSGlobalData* so you can construct without an ExecState*.

kjs/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): Moved creation of the global scope
chain in here, since it now requires a pointer to the global data.
Moved the initialization of the call frame in here since it requires
the global scope chain node. Removed the extra argument to ExecState
when creating the global ExecState*.

kjs/JSGlobalObject.h: Removed initialization of globalScopeChain
and the call frame from the JSGlobalObjectData constructor. Added
a thisValue argument to the init function.

kjs/JSNumberCell.cpp: Added versions of jsNumberCell that take
JSGlobalData* rather than ExecState*.

kjs/ScopeChain.h: Added a globalData pointer to each node.
(JSC::ScopeChainNode::ScopeChainNode): Initialize the globalData
pointer.
(JSC::ScopeChainNode::push): Set the global data pointer in the
new node.
(JSC::ScopeChain::ScopeChain): Take a globalData argument.

bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::JSDOMWindowBaseData::JSDOMWindowBaseData):
Removed an argument now that JSGlobalObject doesn't need it any more.
(WebCore::JSDOMWindowBase::JSDOMWindowBase): Removed the argument from
the JSDOMWindowBaseData constructor, and added the this argument to the
JSGlobalObject constructor. This is because a couple key bits of
initialization moved from the data constructor to the JSGlobalObject
constructor.

Add a workaround for a bug in GCC, which affects GCC 4.0, GCC 4.2, and
llvm-gcc 4.2. I put it in an #ifdef because it was a slight regression
on SunSpider in 32-bit, although that might be entirely random.

Preparation for enabling scrollbars to hit test properly inside transforms. Clean up the scrollbar
event handlers to no longer be virtual. Don't pass a mouse event where none is needed. Add a new
method on Scrollbars called transformEvent that will apply all of the transforms to make a new event
that will work properly for hit testing. This patch just stubs out that method to return the same
event untransformed.

Instead of a cross-platform init/destroy that forces every ScrollView platform to have a constructor/
destructor that calls them, switch to having a cross-platform constructor/destructor that calls
platform-specific init/destroy methods.

With this change, ScrollViewWin.cpp can be removed from the build (yay!).

kjs/JSGlobalData.cpp:
(JSC::JSGlobalData::~JSGlobalData): Remove call to heap.destroy() because
it's too late to ref the JSGlobalData object once it's already being
destroyed. In practice this is not a problem because WebCore's JSGlobalData
is never destroyed and JSGlobalContextRelease takes care of calling
heap.destroy() in advance.

(1) Make invalidateRect a pure virtual function on Widget. All leaf widgets must now implement this function.

(2) Scrollbars now send invalidations through the ScrollbarClient. windowClipRect on ScrollbarClient has been removed and replaced with this invalidation call.
This allows all scrollbar invalidations to go through the render tree so that transforms and reflections will be respected.

(3) Plugins now have the native window invalidation code for windowed plugins. Windowless plugins do a repaintRectangle on the plugin's renderer.

(4) FrameViews now do a repaintRectangle on their owner element's renderer.

(1) Make invalidateRect a pure virtual function on Widget. All leaf widgets must now implement this function.

(2) Scrollbars now send invalidations through the ScrollbarClient. windowClipRect on ScrollbarClient has been removed and replaced with this invalidation call.
This allows all scrollbar invalidations to go through the render tree so that transforms and reflections will be respected.

(3) Plugins now have the native window invalidation code for windowed plugins. Windowless plugins do a repaintRectangle on the plugin's renderer.

(4) FrameViews now do a repaintRectangle on their owner element's renderer.

(1) Make invalidateRect a pure virtual function on Widget. All leaf widgets must now implement this function.

(2) Scrollbars now send invalidations through the ScrollbarClient. windowClipRect on ScrollbarClient has been removed and replaced with this invalidation call.
This allows all scrollbar invalidations to go through the render tree so that transforms and reflections will be respected.

(3) Plugins now have the native window invalidation code for windowed plugins. Windowless plugins do a repaintRectangle on the plugin's renderer.

(4) FrameViews now do a repaintRectangle on their owner element's renderer.

10/02/08:

make font-face elements take effect only when they are in the document tree

Test: svg/custom/font-face-not-in-document.svg

svg/SVGFontData.h: Changed the m_svgFontFaceElement member from a
RefPtr to a plain pointer to break a ref cycle.
(WebCore::SVGFontData::svgFontFaceElement):

svg/SVGFontFaceElement.cpp: Changed to insert and remove the
@font-face rule from the document's mapped element sheet when the
element is inserted and removed from the document, and to update it
only when the element is in the document.
(WebCore::SVGFontFaceElement::SVGFontFaceElement):
(WebCore::SVGFontFaceElement::parseMappedAttribute):
(WebCore::SVGFontFaceElement::rebuildFontFace):
(WebCore::SVGFontFaceElement::insertedIntoDocument):
(WebCore::SVGFontFaceElement::removedFromDocument):
(WebCore::SVGFontFaceElement::childrenChanged):
(WebCore::SVGFontFaceElement::removeFromMappedElementSheet):

html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::setValue): Check that its a text field before calling updatePlaceholderVisibility.
(WebCore::HTMLInputElement::setValueFromRenderer): ditto.
(WebCore::HTMLInputElement::updatePlaceholderVisibility): Instead of calling setChanged(), call updatePlaceholderVisibility on the renderer.
setChanged wouldn't actually trigger setStyle since the style for the input element won't actually change.

rendering/RenderTextControl.cpp:
(WebCore::RenderTextControl::createInnerTextStyle): Get the pseudoStyle when the placeholder is visible.
(WebCore::RenderTextControl::updatePlaceholderVisibility): Sets the style on the inner text block, and calls updateFromElement so
the text will be updated correctly.

API/JSBase.cpp:
(JSEvaluateScript): Use heap. instead of heap-> to work with the heap.
(JSCheckScriptSyntax): Ditto.
(JSGarbageCollect): Ditto.
(JSReportExtraMemoryCost): Ditto.

API/JSContextRef.cpp:
(JSGlobalContextRetain): Ditto.
(JSGlobalContextRelease): Destroy the heap with the destroy function instead
of the delete operator.
(JSContextGetGlobalObject): Use heap. instead of heap-> to work with the heap.

kjs/ExecState.h:
(JSC::ExecState::heap): Update to use the & operator.

kjs/JSGlobalData.cpp:
(JSC::JSGlobalData::JSGlobalData): Update to initialize a heap member
instead of calling new to make a heap.
(JSC::JSGlobalData::~JSGlobalData): Destroy the heap with the destroy
function instead of the delete operator.

kjs/JSGlobalData.h: Change from Heap* to a Heap.

kjs/JSGlobalObject.cpp:
(JSC::JSGlobalObject::mark): Use the & operator here.
(JSC::JSGlobalObject::operator new): Use heap. instead of heap-> to work
with the heap.

Changed the m_element member of CSSCanvasValue from a RefPtr to a plain
pointer, as the document owns the canvas elements. Added code to release
those elements in Document::removedLastRef() because they reference
the document.

Make updateScrollbars cross-platform. For now a stubbed out scrollContents function is invoked to do the scrolling of the backing store. Next patch
will make that cross-platform.

The ScrollView now implements ScrollbarClient, which means that there was a clash of windowClipRect methods from the
multiple inheritance. For now I solved this by adding a Scrollbar* to the ScrollbarClient version of the method, but longer term
windowClipRect is going to be removed from ScrollbarClient (when Widget invalidation gets rewritten).

Make updateScrollbars cross-platform. For now a stubbed out scrollContents function is invoked to do the scrolling of the backing store. Next patch
will make that cross-platform.

The ScrollView now implements ScrollbarClient, which means that there was a clash of windowClipRect methods from the
multiple inheritance. For now I solved this by adding a Scrollbar* to the ScrollbarClient version of the method, but longer term
windowClipRect is going to be removed from ScrollbarClient (when Widget invalidation gets rewritten).

Change bitwise operations introduced in r37166 to boolean operations. We
only use bitwise operations over boolean operations for increasing
performance in extremely hot code, but that does not apply to anything
in the parser.

bindings/js/JSDOMBinding.h:
(WebCore::createDOMObjectWrapper):
(WebCore::getDOMObjectWrapper):
Wrapper map is now kept as JSGlobalData::clientData. Also changed debug-only wrapperSet
to be per-thread (this is slower than going to JSGlobalData, but fast enough for debug).
WebCore objects can never migrate between threads.